VPN instructions for 4.2

Johnboy · December 27, 2023, 6:10pm

That’s exactly what I was looking for, but didn’t find anything.
During those 2 minutes I cannot even ping eg. 1.1.1.1, there seems to be no network connection.

I toyed a bit around and found out, when I disable “provides_network” the qube acts as expected and establishes an openvpn connection immediately.
Are you guys using debian(-minimal) or why am I the only one with this problem?

apparatus · December 27, 2023, 6:17pm

Personally I’m using debian templates and I didn’t try using it in fedora template.

Cat · February 12, 2024, 12:53pm

Kudos @1choice! This is exactly what I have been looking for!! Thank you for putting this together.

I was thinking about two clarifying questions

1) Would you suggest any changes to the provider’s .ovpn config to improve privacy and security?

For example the default sample here:

Has an extra “redirect-gateway def1” should I add it as well?

2) Would limiting ongoing connection on sys-vpn only to the VPN provider using qvm-firewall enhance the security of this setup?

Any other idea’s on how to absolutely prevent leaks ?

Thank you

dcartier · February 16, 2024, 12:02pm

Thanks for the patches to get VPNs working under 4.2 like they did under 4.1

I noticed that the Github site does not include the needed replacement files if you follow the Quick Setup Guide, resulting in a non working VPN. I only got it working after I saw this message and realized that there were more steps. Perhaps the Quick Setup Guide could include the steps above.

It all worked out in the end, so again, thanks.

Sanir · June 3, 2024, 5:16pm

Please help me Qubes R4.2.1 | Qubes-vpn-support | No connect VPN

apparatus · June 26, 2024, 10:33am

You can report it in the pull request:

github.com/tasket/Qubes-vpn-support

Replace iptables with nftables

tasket:master ← 1cho1ce:replace-iptables-with-nftables

opened 07:01PM - 25 May 23 UTC

1cho1ce

+153 -43

Qubes dropped iptables support and replaced it with nftables: https://github.co…m/QubesOS/qubes-core-agent-linux/commit/28b95535c7cbd15543c804e822c0e4c997f5966e This pull request replaces iptables with nftables. Removed `allow established input` rules from `proxy-firewall-restrict` since they are already present in nft tables ip/ip6 qubes. TODO: Need to think of a better way to check in `--check-firewall` in `qubes-vpn-setup` script if the forward drop rules are present (or `proxy-firewall-restrict` script finished successfully).

Saying that it has vulnerability but not telling where is it is unhelpful since there are people that use it and leaving them vulnerable is not good.

apparatus · June 26, 2024, 11:10am

It’s as helpful as you saying that Qubes OS has 0-day vulnerability but you won’t say where it is.
I’ve looked at the patch and I couldn’t notice any obvious vulnerability. But I’m not a programmer myself so I could miss something obvious to you.

barto · June 26, 2024, 12:10pm

At a quick glance I see a (potential) IPv6 DNS leak in that pull request #71.

apparatus · June 26, 2024, 12:35pm

Yes, there seems to be an issue with IPv6 DNS.
I guess instead of:

                    nft add rule ip6 qubes dnat-dns iifgroup 2 ip6 daddr ${qubes_dns_ip6[$i]} tcp dport 53 dnat to ${qubes_dns_ip6[$i]}
                    nft add rule ip6 qubes dnat-dns iifgroup 2 ip6 daddr ${qubes_dns_ip6[$i]} udp dport 53 dnat to ${qubes_dns_ip6[$i]}
                else
                    nft add rule ip6 qubes dnat-dns iifgroup 2 ip6 daddr ${qubes_dns_ip6[$i]} tcp dport 53 dnat to ${qubes_dns_ip6[0]}
                    nft add rule ip6 qubes dnat-dns iifgroup 2 ip6 daddr ${qubes_dns_ip6[$i]} udp dport 53 dnat to ${qubes_dns_ip6[0]}

it should be:

                    nft add rule ip6 qubes dnat-dns iifgroup 2 ip6 daddr ${qubes_dns_ip6[$i]} tcp dport 53 dnat to ${vpn_dns_ip6[$i]}
                    nft add rule ip6 qubes dnat-dns iifgroup 2 ip6 daddr ${qubes_dns_ip6[$i]} udp dport 53 dnat to ${vpn_dns_ip6[$i]}
                else
                    nft add rule ip6 qubes dnat-dns iifgroup 2 ip6 daddr ${qubes_dns_ip6[$i]} tcp dport 53 dnat to ${vpn_dns_ip6[0]}
                    nft add rule ip6 qubes dnat-dns iifgroup 2 ip6 daddr ${qubes_dns_ip6[$i]} udp dport 53 dnat to ${vpn_dns_ip6[0]}

And if no Qubes OS virtual IPv6 DNS servers are used then the IPv6 DNS from VPN provider won’t be used and qubes will use their own IPv6 DNS servers. I saw a pull request from 1choice to add virtual IPv6 DNS support to Qubes OS so I guess that was related to this change. But anyway this was an issue in original Qubes-vpn-support as well since it didn’t handle IPv6 DNS at all.
And if no DNS is provided by VPN server then requests to virtual DNS IPs will leak from qubes. But this was an issue in original Qubes-vpn-support as well.

hohohoho · June 26, 2024, 12:51pm

Good find, I missed that, that is why I am not telling you about my find, this code requires audit.

apparatus · June 26, 2024, 12:57pm

Well, you did your own audit and found a bug, but you won’t tell anyone about it so it could be fixed.
@barto did a quick audit and found an issue and reported it so now it could be fixed.
I see no reason why you choose to conceal the bug. What kind of audit do you expect for this code? From some known security audit organization?
As I see it the users should check the code to the best of their abilities and report the issue if they found it so it could be fixed.

hohohoho · June 26, 2024, 1:07pm

Audit is already happening, you do it, I do it, just do it.

apparatus · June 26, 2024, 1:10pm

The point is that my skills are not enough to find the vulnerability that you’re talking about.
What if someone else besides you will find the same vulnerability that you’re talking about and instead of reporting it will just say the same thing as you “yes, there is a vulnerability but I won’t tell you what it is” and the issue will still persist. It’s unproductive.

solene · June 26, 2024, 4:45pm

If everyone was acting like this, we would never patch software upstream and a few people would compile from sources with local patch of issues they found. This would be unbearable.

ohohohoh · July 2, 2024, 7:33pm

LOL why you flagged my posts about vulnerability, you think it was a joke? Time to lough now:
The vulnerabilit - 1choice added forwarding rule from vpn to any vm and now anyone from vpn server can connect any vm, he also decided not use interface name in the rule and replaced it with 9, making it less invisible.

apparatus · July 3, 2024, 5:12am

You’re right, that’s a bug.
Reported here:

github.com/tasket/Qubes-vpn-support

Comment by apparatius - Replace iptables with nftables

tasket:master ← 1cho1ce:replace-iptables-with-nftables

There are a few errors in the PR with allowing traffic from VPN to qubes and typ…os related to IPv6. This was discussed here: https://forum.qubes-os.org/t/vpn-instructions-for-4-2/20738/78 <details> <summary>Here is a patch:</summary> ``` diff --git a/files-main/proxy-firewall-restrict b/files-main/proxy-firewall-restrict index a3aba10..8142ad2 100644 --- a/files-main/proxy-firewall-restrict +++ b/files-main/proxy-firewall-restrict @@ -22,11 +22,9 @@ nft chain ip6 qubes forward '{ policy drop; }' nft insert rule ip6 qubes custom-forward oifgroup 1 drop nft insert rule ip6 qubes custom-forward iifgroup 1 drop -# Accept forward traffic between dowstream (vif+, group 2) and VPN interface (group 9) +# Accept forward traffic from dowstream (vif+, group 2) to VPN interface (group 9) nft insert rule ip qubes custom-forward iifgroup 2 oifgroup 9 accept -nft insert rule ip qubes custom-forward iifgroup 9 oifgroup 2 accept nft insert rule ip6 qubes custom-forward iifgroup 2 oifgroup 9 accept -nft insert rule ip6 qubes custom-forward iifgroup 9 oifgroup 2 accept # Block INPUT from tunnel(s): nft chain ip qubes input '{ policy drop; }' diff --git a/files-main/qubes-vpn-ns b/files-main/qubes-vpn-ns index 62510d4..d510954 100644 --- a/files-main/qubes-vpn-ns +++ b/files-main/qubes-vpn-ns @@ -85,11 +85,11 @@ up) if [[ ${#vpn_dns_ip6[@]} != 0 ]] && [[ ${#qubes_dns_ip6[@]} != 0 ]]; then for i in $(seq 0 $((${#qubes_dns_ip6[@]} - 1))); do if [[ $i < ${#vpn_dns_ip6[@]} ]] ; then - nft add rule ip6 qubes dnat-dns iifgroup 2 ip6 daddr ${qubes_dns_ip6[$i]} tcp dport 53 dnat to ${qubes_dns_ip6[$i]} - nft add rule ip6 qubes dnat-dns iifgroup 2 ip6 daddr ${qubes_dns_ip6[$i]} udp dport 53 dnat to ${qubes_dns_ip6[$i]} + nft add rule ip6 qubes dnat-dns iifgroup 2 ip6 daddr ${qubes_dns_ip6[$i]} tcp dport 53 dnat to ${vpn_dns_ip6[$i]} + nft add rule ip6 qubes dnat-dns iifgroup 2 ip6 daddr ${qubes_dns_ip6[$i]} udp dport 53 dnat to ${vpn_dns_ip6[$i]} else - nft add rule ip6 qubes dnat-dns iifgroup 2 ip6 daddr ${qubes_dns_ip6[$i]} tcp dport 53 dnat to ${qubes_dns_ip6[0]} - nft add rule ip6 qubes dnat-dns iifgroup 2 ip6 daddr ${qubes_dns_ip6[$i]} udp dport 53 dnat to ${qubes_dns_ip6[0]} + nft add rule ip6 qubes dnat-dns iifgroup 2 ip6 daddr ${qubes_dns_ip6[$i]} tcp dport 53 dnat to ${vpn_dns_ip6[0]} + nft add rule ip6 qubes dnat-dns iifgroup 2 ip6 daddr ${qubes_dns_ip6[$i]} udp dport 53 dnat to ${vpn_dns_ip6[0]} fi done fi diff --git a/files-main/qubes-vpn-setup b/files-main/qubes-vpn-setup index 995ae33..f9b3512 100755 --- a/files-main/qubes-vpn-setup +++ b/files-main/qubes-vpn-setup @@ -53,7 +53,7 @@ firewall_link() { case "$1" in --check-firewall) for i in 1 2 3; do - if (nft -j -s list chain ip qubes custom-forward && nft -j -s list chain ip qubes custom-forward) | python3 -c " + if (nft -j -s list chain ip qubes custom-forward && nft -j -s list chain ip6 qubes custom-forward) | python3 -c " import sys, json; def main(): rule_out_ipv4_exists = False ``` </details> You can apply the patch using this command: ``` ~/Qubes-vpn-support$ git apply /path/to/patch ``` Additional notes: If no Qubes OS virtual IPv6 DNS servers are used then the IPv6 DNS from VPN provider won’t be used and qubes will use their own IPv6 DNS servers. I saw a pull request from 1choice to add virtual IPv6 DNS support to Qubes OS so I guess that was related to this change. If no DNS is provided by VPN server then requests to virtual DNS IPs will leak from qubes. I guess it's better to use some default DNS like 9.9.9.9 in case no DNS will be provided by VPN.

apparatus · July 3, 2024, 6:28am

Also note that the default firewall rules in qubes are blocking incoming connections so this will only affect qubes with custom firewall rules that allow incoming connections.

ohohohohoh · July 3, 2024, 1:13pm

@apparatus you removed ipv4 rule check by replacing it with ipv6 check, adding one new serious bug